IETF Logo Mail Archive

Re: [Dime] Question on realm validity in answer messages

Jouni Korhonen <jouni.nospam@gmail.com> Thu, 08 May 2014 19:08 UTC

Return-Path: <jouni.nospam@gmail.com>
X-Original-To: dime@ietfa.amsl.com
Delivered-To: dime@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 769231A0119 for <dime@ietfa.amsl.com>; Thu, 8 May 2014 12:08:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TbS3VVJYeccA for <dime@ietfa.amsl.com>; Thu, 8 May 2014 12:08:02 -0700 (PDT)
Received: from mail-lb0-x22c.google.com (mail-lb0-x22c.google.com [IPv6:2a00:1450:4010:c04::22c]) by ietfa.amsl.com (Postfix) with ESMTP id BAB521A0118 for <dime@ietf.org>; Thu, 8 May 2014 12:08:01 -0700 (PDT)
Received: by mail-lb0-f172.google.com with SMTP id l4so4251574lbv.17 for <dime@ietf.org>; Thu, 08 May 2014 12:07:56 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=message-id:date:from:user-agent:mime-version:to:subject:references :in-reply-to:content-type:content-transfer-encoding; bh=XXg/nLnXb6AAg0P5mdUPGoUOLOaS4fSvYpHFSgbwTRk=; b=NXJ5T21V1wnaOB9La8Mo7IoiUAFh97AZmoT9C7n/85aGDb9cq0/37+qWeN/fwWRxQe Q5wJQH7avwypRDDTxYTJf4XGqrjZ1k3OuScEtY1Q01armpnKUutTGYr+vm64fwHqbYVu pgP6FXF3hNRKv8u6FjMkieiTXBi1lqlZ99hX9MWuGOOGVddPuAFzRM+Cy8DTLogOPn31 /kmUsIB/kde24FXqveQc289lWI1mBon2Zqe/TxPCg+HRuLouDwx/5xXp1z6/P4b7XrmG ApFQAsgZa9LYCdeGv7bTTIC5zZ629WXe7PUCRQpAs3WC878e4SGTHLDa+a3LD9b7lcFg i44A==
X-Received: by 10.112.24.9 with SMTP id q9mr6219651lbf.23.1399576076371; Thu, 08 May 2014 12:07:56 -0700 (PDT)
Received: from [188.117.15.101] ([188.117.15.101]) by mx.google.com with ESMTPSA id q8sm1856786lbr.28.2014.05.08.12.07.55 for <dime@ietf.org> (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Thu, 08 May 2014 12:07:55 -0700 (PDT)
Message-ID: <536BD60A.6070202@gmail.com>
Date: Thu, 08 May 2014 22:07:54 +0300
From: Jouni Korhonen <jouni.nospam@gmail.com>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Thunderbird/24.5.0
MIME-Version: 1.0
To: dime@ietf.org
References: <0EFE155B2AF9B44A9537DA67801704F96B3341E2@ROCK5.qtel.ad.pri>
In-Reply-To: <0EFE155B2AF9B44A9537DA67801704F96B3341E2@ROCK5.qtel.ad.pri>
Content-Type: text/plain; charset="windows-1252"; format="flowed"
Content-Transfer-Encoding: 8bit
Archived-At: http://mailarchive.ietf.org/arch/msg/dime/0g4i5TPrkN3DlpQns786TX3riLU
Subject: Re: [Dime] Question on realm validity in answer messages
X-BeenThere: dime@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Diameter Maintanence and Extentions Working Group <dime.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dime>, <mailto:dime-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dime/>
List-Post: <mailto:dime@ietf.org>
List-Help: <mailto:dime-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dime>, <mailto:dime-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 08 May 2014 19:08:04 -0000

Your load balancer is misbehaving. Unfortunately you don't find any 
exact specification language to prohibit the proxy vendor doing this.

- Jouni



5/8/2014 8:44 AM, Marco Stura kirjoitti:
> Dear all,
>
> I’m facing the following situation.
>
> |----------------------------
> SPrealm--------------------------------------------------|
>
>                                                                                     _----------- Server 1(realm a)
>
>
>                                   _
>
>                                                                               _
>
> Client ------------------ Proxy(SPrealm) ---------------- Server 2(realm b)
>
>                                                                              _
>
>
>                                                        _
>
>                                                                                     _
>
>                                                                                         ---------- Sever 3 (realm c)
>
> The implementation is such that the Proxy is load balancing by selecting
> the internal Server where the subscriber data are provisioned, based on
> user identity.
>
> The Client is sending an application specific authorization request to
> the Proxy for NAI user@SPrealm, Destination-Realm == SPrealm.
>
> The Proxy selects e.g. Server 2 based on user@SPrealm and send the
> request there changing the Destination-Realm to realm b.
>
> Server 2 processes the request generates an answer and send it to the
> Proxy with Origin-Host == server2@realm b, Origin-Realm == realm b.
>
> The Proxy forward the answer to the Client, that receives a successful
> authorization answer from a realm that is different from the one
> supposed to serve the user (as in the NAI).
>
> The client terminates the session with STR to Destination-Host ==
> server2@realm b, Destination-Realm == realm b, Termination-Cause ==
> Diameter_bad_answer
>
> The Proxy and the Servers are part of the same implementation, which
> apparently requires this kind of configuration to work.
>
> In RFC 6733 (or RFC 3388) it is not explicitly stated how to deal with
> cases where a successful authorization answer is coming from a server
> located in a different realm than the home realm of the user (as per NAI).
>
> However, to say the least, this configuration is quite bizarre and the
> client IMHO is right to terminate the session as this behavior may looks
> to the client like an answer from a malicious node. But I don’t remember
> any discussion on this aspects back at the Diameter protocol development
> time…..
>
> Any opinion on this scenario?
>
> BR,
>
> Marco
>
>
> ------------------------------------------------------------------------
>
> The information in this email and any attachments thereto may contain
> information that is confidential, protected by intellectual property
> rights, and may be legally privileged. It is intended solely for the
> addressee(s). Access to this email by anyone else is unauthorized. Any
> use, disclosure, copying, or distribution of the information contained
> herein by persons other than the designated addressee is unauthorized
> and may be unlawful. If you are not the intended recipient, you should
> delete the message immediately from your system. If you believe that you
> have received this email in error, please contact the sender. Any views
> expressed in this email and its attachments are those of the individual
> sender except where the sender expressly states them to be the views of
> Ooredoo.
>
>
> _______________________________________________
> DiME mailing list
> DiME@ietf.org
> https://www.ietf.org/mailman/listinfo/dime
>

v2.23.0 | Report a Bug | By Email